18

Up until now, I was pretty confident that it was pretty much impossible to list all the domains handled by a nameserver.

But apparently, there exist a couple of websites on the Internet that are able to list all the domains registered in a nameserver.

For example:

Or all domains pointing to a specific IP:

(These DNS/IP were picked at random)

Do you know how it's done?

Evan Anderson
Florian
  • You can also view a list of all domains that use a specified nameserver at http://viewdns.info/reversens/ – hughesey Apr 04 '15 at 01:23

8 Answers

10

There are two ways that a domain name => DNS server map can be constructed:

  1. Zone file access: some registries grant access to their zone files to their registrars and other entities. This makes it pretty easy to determine which domains in those zones are delegated to a given DNS server. This is how DomainTools.com provides their Name Server Spy product. This is the most reliable method, but is obviously limited to the zone files that they have access to.
  2. Passive DNS. This involves examining traffic through recursive DNS servers at ISPs and reconstructing zone data based on what's seen. This method lets you discover information from the entire DNS space, but is less reliable as changes take longer to appear in your database, and won't recover information about domains that get few or no queries.
Gavin Brown
  • Take into account that the second method (Passive DNS) will be restricted with the use of DoH https://en.wikipedia.org/wiki/DNS_over_HTTPS – gavioto20 May 27 '20 at 16:31
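
The zone-file method from the answer above, as an added example (not code from the answer or from any of the services mentioned): it parses the NS delegations in a zone excerpt and inverts them into a nameserver-to-domains index. The zone name, hostnames and one-record-per-line layout are assumptions; the sample data is constructed.

```python
from collections import defaultdict

# Constructed excerpt in DNS master-file syntax (RFC 1035), standing in for a TLD zone file.
SAMPLE_ZONE = """\
$ORIGIN example-tld.
; delegations only; glue and SOA omitted
alpha        172800 IN NS ns1.hoster-a.test.
             172800 IN NS ns2.hoster-a.test.
Bravo        IN NS NS1.HOSTER-A.TEST.
charlie      NS ns1.hoster-b.test.
charlie      NS ns.charlie
delta        IN A 192.0.2.10
"""

def fqdn(name, origin):
    """Lower-case a name and make it absolute relative to origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin.lstrip('.')}"

def reverse_ns_index(zone_text):
    """Return {nameserver: sorted list of domains delegated to it}."""
    origin, owner = ".", None
    index = defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if fields[0].startswith("$"):             # other directives ($TTL, ...)
            continue
        if not raw[0].isspace():                  # leading blank = same owner as before
            owner = fqdn(fields.pop(0), origin)
        # Skip optional TTL and class, leaving <type> <rdata>
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)
        if len(fields) >= 2 and fields[0].upper() == "NS" and owner:
            index[fqdn(fields[1], origin)].add(owner)
    return {ns: sorted(doms) for ns, doms in index.items()}

if __name__ == "__main__":
    for ns, domains in sorted(reverse_ns_index(SAMPLE_ZONE).items()):
        print(ns, "->", ", ".join(domains))
```

The index only covers zones whose files are available, which matches the limitation the answer notes for this method.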
3

As far as I know they're just building a database of domain names and the associated authoritative name servers. You're just searching that database with their web interface and seeing a list of results that, through "normal" DNS channels would be rather difficult to get (w/o generating a lot of queries). It's a little bit like a telephone "reverse directory"-- it's the same information that DNS gives out to normal SOA lookups, but given to you in a bit of a "backward" manner to facilitate types of searches that would normally be difficult.

Evan Anderson
2

It's not actually querying the nameservers. It has a database of domains and just looks to see what the NS records for each domain are. Your original assessment is correct, don't doubt yourself :)

Will
1

Does this not work off what domains robtex has "seen" before? It doesn't detect what domains are on a NS, it just lists what domains it's looked up before that have that NS.

Coops
  • Fun fact: on robtex.com I just queried some domain I own, and it still doesn't show when searching by IP after that. – Arjan Jul 17 '09 at 12:13
  • I guess there is some sort of delay whilst it compiles the data. One question, why has robtex got so popular recently? – Coops Jul 17 '09 at 12:49
0

Many years ago, NSI used to share the .com zone with its partners. From this file, you could figure out which nameservers were hosting which domains. But I don't think that file has been available for several years because it allowed spammers to figure out all the domains in the .com domain and spam them.

Walter
0

I've just run my info through both those sites. The first returned only 2 out of 5 domains. Interestingly, those are .com domains, whereas the other 3 are .com.au domains. The second site appears to just do a reverse DNS query and is therefore only showing what I have set, not the domains being hosted.

Edit: I thought I'd try the gwebtools site against my secondary DNS server, just out of curiosity. It returned zero domains.

John Gardeniers
0

You can check Name Server Spy. This website can show you how many and which domains are registered in each nameserver.

-1

Spyonweb.com also provides this information. It also shows all DNS servers registered at a certain IP address.

Anton